scrounge-ntfs
Scrounge-ntfs is a data recovery program for NTFS filesystems that reads each block of the hard disk to rebuild the original filesystem tree into a directory. It helps retrieve data from corrupted NTFS partitions and is useful in forensics investigations.
Description
Scrounge-ntfs is designed to recover data from NTFS filesystems, particularly when partitions are corrupted. It operates by reading every block on the disk and attempting to reconstruct the original directory structure. This makes it a valuable tool for situations where standard file recovery methods fail due to filesystem damage.
The tool is especially useful in forensics investigations, where preserving and retrieving data from damaged drives is critical. It can scrounge files from raw disk partitions specified by sector ranges, allowing investigators to output recovered files to a designated directory.
Key features include listing drive partitions, searching for NTFS partitions, and manual specification of MFT offset, cluster size, and output directory for precise recovery operations.
How It Works
Scrounge-ntfs reads each block of the specified disk or partition, scanning for NTFS structures to rebuild the original filesystem tree. It uses parameters like MFT offset (in sectors), cluster size (default 8 sectors), and sector ranges (start to end) to locate and extract files, writing them to an output directory without relying on the intact filesystem metadata.
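As an added illustration (not scrounge-ntfs's own code), the Python below scans a raw image for NTFS boot sectors and derives the start, end, cluster size and MFT offset values the command takes. It assumes 512-byte sectors and that the MFT offset is counted in sectors from the start of the partition; the function names, disk.img and the sample image are constructed for the example.

```python
import struct

SECTOR = 512  # assumption: the image uses 512-byte sectors

def parse_boot_sector(sec):
    """Return (sectors_per_cluster, total_sectors, mft_lcn) or None."""
    if len(sec) < SECTOR or sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
        return None
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)        # bytes/sector, sectors/cluster
    total, mft_lcn = struct.unpack_from("<QQ", sec, 0x28)  # volume sectors, MFT cluster number
    if spc > 128:                 # large clusters are stored as a negative power of two
        spc = 1 << (256 - spc)
    if bps != SECTOR or spc == 0 or spc & (spc - 1) or total == 0:
        return None               # implausible geometry: treat as a false positive
    return spc, total, mft_lcn

def find_ntfs_volumes(image):
    """Scan a raw image (bytes) sector by sector for NTFS boot sectors."""
    found, skip_until = [], -1
    for start in range(len(image) // SECTOR):
        if start <= skip_until:   # inside a volume already found, incl. its backup boot sector
            continue
        geo = parse_boot_sector(image[start * SECTOR:(start + 1) * SECTOR])
        if geo is None:
            continue
        spc, total, mft_lcn = geo
        end = start + total       # the backup boot sector sits at this sector
        found.append({"start": start, "end": end, "cluster_size": spc,
                      "mft_offset": mft_lcn * spc})  # sectors from partition start (assumed)
        skip_until = end
    return found

def scrounge_command(vol, disk="disk.img", outdir="outdir"):
    """Format the full command form; disk and outdir names are placeholders."""
    return (f"scrounge-ntfs -m {vol['mft_offset']} -c {vol['cluster_size']} "
            f"-o {outdir} {disk} {vol['start']} {vol['end']}")

def make_sample_image():
    """Constructed test data: one NTFS boot sector at sector 8 plus its backup copy."""
    boot = bytearray(SECTOR)
    boot[0:3], boot[3:11], boot[510:512] = b"\xeb\x52\x90", b"NTFS    ", b"\x55\xaa"
    struct.pack_into("<HB", boot, 0x0B, SECTOR, 8)  # 512 bytes/sector, 8 sectors/cluster
    struct.pack_into("<QQ", boot, 0x28, 63, 2)      # 63 volume sectors, MFT at cluster 2
    image = bytearray(72 * SECTOR)
    image[8 * SECTOR:9 * SECTOR] = boot
    image[71 * SECTOR:72 * SECTOR] = boot           # backup copy in the last sector
    return bytes(image)
```

On a real case, run this kind of scan against a read-only image of the drive rather than the original device, and treat the derived end sector as approximate.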
Installation
sudo apt install scrounge-ntfs
Flags
Examples
scrounge-ntfs -l disk
scrounge-ntfs -s disk
scrounge-ntfs disk start end
scrounge-ntfs -m mftoffset disk start end
scrounge-ntfs -c clustersize disk start end
scrounge-ntfs -o outdir disk start end
scrounge-ntfs -m mftoffset -c clustersize -o outdir disk start end